b'U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n          OFFICE OF THE SECRETARY\n\n          Program for Designating Positions\n       According to Their Risk and Sensitivity\n       Needs to Be Updated and Strengthened\n\n\n   Final Inspection Report No. OSE-14486/September 2001\n\n\n\n\n                            PUBLIC\n                            RELEASE\n\n\n\n                            Office of Systems Evaluation\n\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0cU.S. Department of Commerce                                                    Final Inspection Report OSE-14486\nOffice of Inspector General                                                                       September 2001\n\n\n\nDirector of Human Resources Management on these issues. Both generally concurred with our\nconclusion that the Department\xe2\x80\x99s program for designating positions and conducting and\nrecording background investigations need to be updated and strengthened, as well as with our\npreliminary recommendations, and they immediately advised us of their plan to form a joint team\nto address these issues. We then held meetings with the Deputy Assistant Secretary for Security\nand the Director of Human Resources Management and members of their staffs at which they\npresented information on their roles and responsibilities, plans to address our findings and\nrecommendations, and tentative dates for completion of proposed corrective actions.\n\nThe Chief Financial Officer and Assistant Secretary for Administration agreed with the findings\nand recommendations of our draft report, and the Deputy Assistant Secretary for Security and the\nDirector of Human Resources Management are coordinating the development of a plan to\nimplement our recommendations. The response to our draft report is included as an attachment\nto this report and constitutes the action plan. We will consider the matter resolved when we\nreceive a copy of the plan referenced in the response.\n\nINTRODUCTION\n\nThe Department of Commerce has numerous positions that involve policy-making, major\nprogram responsibility, public safety and health, law enforcement, fiduciary responsibilities, and\nother duties demanding a significant degree of public trust. Many Commerce positions involve\naccess to or operation or control of financial records, which, if misused, pose a significant risk\nfor causing damage or realizing inappropriate personal gain. These types of positions are\nconsidered to have high or moderate risk levels and would normally be designated as \xe2\x80\x9cpublic\ntrust\xe2\x80\x9d positions. Agency heads are required to designate every competitive service position\nwithin the agency at a high, moderate, or low risk level as determined by the position\xe2\x80\x99s potential\nfor adversely affecting the efficiency and integrity of government programs and operations.3\n\nCommerce also has positions that could allow employees to have a material adverse effect on\nnational security. Agency heads are similarly required to designate such positions according to\ntheir level of sensitivity\xe2\x80\x94nonsensitive, non-critical sensitive, critical sensitive, and special\nsensitive.4\n\nGuidance for designating positions within the Department according to the four national security\nsensitivity levels and for determining the type of background investigation appropriate for each\nlevel is contained in the Commerce Personnel Security Manual. This manual, which was issued\n\n       3\n        Positions designated as low risk are not considered \xe2\x80\x9cpublic trust\xe2\x80\x9d positions.\n       4\n        5 CFR 731, Suitability and 5 CFR 732, National Security Positions.\n\n                                                         2\n\x0cU.S. Department of Commerce                                          Final Inspection Report OSE-14486\nOffice of Inspector General                                                             September 2001\n\n\n\nby the Office of Security in December 1988, implemented then-current Federal Personnel\nManual (FPM) chapters 731 (Personnel Suitability), 732 (Personnel Security), 736 (Personnel\nInvestigations), and 754 (Suitability Disqualification Actions). In November 1989, the\nDepartment\xe2\x80\x99s Office of Personnel and Civil Rights issued the final version of Department\nAdministrative Order (DAO) 202-731, Position Sensitivity for Personnel Suitability and\nPersonnel Security Purposes, which established the four-level system for designating the\nsensitivity of positions for personnel suitability and national security purposes as described in\nFPM chapters 731 and 732.\n\nWhen DAO 202-731 was issued in 1989, positions having a potential impact on efficiency and\nintegrity (i.e., public trust positions) were designated according to the same sensitivity levels as\npositions dealing with national security. For example, a position that required the employee to\ndeal regularly with sensitive economic information that is not available to the public might have\nbeen designated as critical sensitive, but without a need to access national security information.\nHowever, in 1991, the Office of Personnel Management (OPM) issued Appendix A to 731\nSubchapter 5 of the FPM. This appendix provided guidance and criteria for designating\npositions of public trust, such as those dealing with development of Principal Federal Economic\nIndicators, as high, moderate, or low risk. It also specified the type of background investigation\nappropriate for each of these risk levels. However, the FPM was abolished in December 1993.\n\nOn December 28, 2000, OPM published revised regulations in the Federal Register concerning\nthe designation of positions based on risk level and the associated background investigation\nrequirements. These regulations, found at 5 Code of Federal Regulations Part 731, became\neffective on March 30, 2001; however, they do not provide details, such as those provided by\nFPM Appendix A, for designating position risk levels and do not identify background\ninvestigation requirements for the various risk levels. Rather than including these details in the\nregulations, OPM decided to offer federal agencies training on designating position risk levels\nand determining appropriate background investigations. Although the revised regulations only\naddress risk levels, the training also provides guidance on designating position sensitivity levels\nand determining appropriate background investigations for positions dealing with national\nsecurity. OPM\xe2\x80\x99s Federal Investigations Notice No. 01-08, dated March 19, 2001, provides\ndetails about the available training.\n\nAdditionally, because of the abolishment of the FPM, the revised regulation includes a section\noutlining OPM\xe2\x80\x99s and agencies\xe2\x80\x99 responsibilities for personnel security associated with the design,\noperation, and use of federal automated information systems, as required by OMB Circular A\n130, Management of Federal Information Resources, and the Computer Security Act. OPM\xe2\x80\x99s\ntraining addresses the designation of positions dealing with federal automated information\nsystems from both the risk and sensitivity perspectives.\n\n\n                                                  3\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-14486\nOffice of Inspector General                                                          September 2001\n\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objective of this evaluation was to assess the Department\xe2\x80\x99s program for designating\npositions of employment according to their impact on the efficiency and integrity of government\nprograms and operations or on national security and for ensuring that appropriate background\ninvestigations are performed. We reviewed applicable Department Administrative Orders, as\nwell as manuals and information provided by OPM, and held discussions with representatives\nfrom the Department\xe2\x80\x99s Office of Security (OSY) and the Office of Human Resources\nManagement (OHRM). To ascertain whether the issues raised in our work on Advance Retail\nSales were of concern in other areas of the Department, we reviewed guidance from human\nresources management offices for selected operating units, as well as background investigation\nrecords.\n\nOur evaluation was conducted in accordance with the Quality Standards for Inspections issued\nby the President\xe2\x80\x99s Council on Integrity and Efficiency, and was performed under the authority of\nthe Inspector General Act of 1978, as amended, and Departmental Organization Order 10-13,\ndated May 22, 1980, as amended.\n\nFINDINGS AND RECOMMENDATIONS\n\nDepartment guidance for designating positions according to their impact on the efficiency and\nintegrity of government programs and operations or on national security is out of date and needs\nto be revised immediately and promulgated to all Commerce operating units. Furthermore, the\nDepartment\xe2\x80\x99s records of background investigations conducted for employees are incomplete and\nneed to be updated. Finally, the Department needs to ensure that its operating units understand\nand are implementing the new guidance.\n\nI.\t    Department Guidance for Designating Positions is Out of\n       Date, and Positions are Designated Incorrectly\n\nDAO 202-731and the Personnel Security Manual are the official Department-level documents\nthat provide guidance for designating positions according to their potential impact on the\nefficiency and integrity of government programs and operations or the national security and for\nconducting appropriate background investigations. However, because these documents were\nissued in 1989 and 1988, respectively, they do not address important changes to position\ndesignation and investigation guidance brought about by modifications to the FPM, 5 Code of\nFederal Regulations, and OMB Circular A-130. Neither the DAO nor the security manual\nincludes guidance for assigning risk levels to positions that could affect the efficiency and\nintegrity of government programs and operations, or conducting associated background\ninvestigations. Each document should have been updated and reissued as changes to the FPM, 5\n\n                                               4\n\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-14486\nOffice of Inspector General                                                            September 2001\n\n\n\nCFR, and OMB Circular A-130 were made. As noted earlier, rather than developing detailed\nimplementation guidance, OPM decided to offer federal agencies training that is consistent with\ncurrent regulations for designating position risk and sensitivity levels and determining\nappropriate background investigations.\n\nIn March 1993, OHRM issued Departmental Notice 93-2 to implement the changes in the FPM\nand 5 CFR, which clarified the distinctions between suitability and national security requirements\nand added a system of risk designation and investigative requirements. DAO 202-731 should\nhave been modified to incorporate the requirements of the notice before its expiration date of\nSeptember 30, 1993. However, DAO 202-731 was never modified and reissued. The Personnel\nSecurity Manual should also have been modified to include the departmental guidance. A 1995\ndraft version of the Personnel Security Manual included much of the guidance, but was never\nfinalized by OSY.\n\nBecause DAO 202-731 and the Personnel Security Manual have not kept pace with changes that\naffected all federal agencies, Commerce operating units have no current, official Department-\nlevel guidance for designating public trust and national security positions and conducting\nappropriate background investigations. As a result, some positions of public trust within the\nDepartment and its operating units are designated according to national security sensitivity levels\nrather than the appropriate risk levels, a circumstance that can lead to inappropriate background\ninvestigations. Also, risk levels for some positions are inconsistent with their level of\nresponsibility and trust.\n\nMoreover, the responsibility and authority of personnel involved in the designation process are\nnot clear, and human resources, security, and management officials do not always understand\ntheir responsibilities. DAO 202-731 names the head of the operating unit as the responsible\nofficial for ensuring that the sensitivity designations of positions are accurate and for making the\ndesignations. Supervisors are responsible for making recommendations to designating officials\non sensitivity levels for positions. The order permits the designation authority to be redelegated\nonly to officials to whom full personnel management authority has been delegated. Servicing\npersonnel officers are to review position designations for adherence to level definitions and\nconsistency across similar positions and to provide advice and guidance, as needed. Disputes\nbetween personnel officers and designating officials are to be resolved by the next higher\nmanagement level. Servicing personnel officers also are responsible for initiating the appropriate\npersonnel investigation. Servicing security officers are to provide advice and guidance to\ndesignating officials in cases involving access to classified information or other national security\nissues.\n\nDepartmental Notice 93-2 attempted to revise this authority, including giving managers increased\nresponsibility and authority. It delegated authority for position sensitivity and risk level\n\n                                                 5\n\n\x0cU.S. Department of Commerce                                                     Final Inspection Report OSE-14486\nOffice of Inspector General                                                                        September 2001\n\n\n\ndesignation to the heads of operating units, principal personnel officers, and servicing personnel\nofficers, but allowed heads of operating units to authorize subordinate managers and supervisors\nto designate risk levels. It also made supervisors responsible for determining whether, and to\nwhat extent, a position requires access to national security information. Heads of operating units\nwere to arbitrate disputes between managers and personnel officers regarding sensitivity and risk\nlevel designations. Servicing personnel officers were to be responsible for keeping position\nsensitivity and risk designations current for the National Finance Center personnel/payroll\nsystem, and security officers were responsible for assuring that investigation requests by\nmanagement were consistent with the data going to the Finance Center and for initiating the\ninvestigation process. The notice also included provisions for suitability adjudication.5\nHowever, as noted previously, the notice expired in September 1993.\n\nAs a result of our discussions, OHRM and OSY have begun to coordinate efforts to update DAO\n202-731 and the Personnel Security Manual to reflect the current governing regulations and\nshould continue this new process. However, the Department needs to assess the responsibilities\nand authorities associated with position sensitivity and risk designations, including the role of\nmanagers; determine how the responsibilities and authorities will be allocated; and ensure that\nthey are understood by managers, personnel officials, and security officials. In addition,\nmanagers and staff from OHRM and OSY should (1) attend OPM-approved training on\ndesignating position risk and sensitivity levels and determining appropriate background\ninvestigations, (2) update DAO 202-731 and the Personnel Security Manual to include OPM\xe2\x80\x99s\nlatest guidance and clearly identify the roles and responsibilities of heads of operating units,\nsubordinate managers and supervisors, servicing personnel officers, and security officers, and (3)\ndistribute revised departmental guidance to all operating units.\n\nII.\t     Records of Investigations Are Incomplete, and\n         Employees Lack Appropriate Investigations\n\nThe Department lacks current and complete information on employee risk or sensitivity levels\nand the type and currency of the investigations, if any, conducted for employees. During our\nevaluation of the Census Bureau\xe2\x80\x99s Advance Retail Sales economic indicator, we noted that OSY\nwas unable to provide investigation records for many employees in the Census Bureau\xe2\x80\x99s\nEconomic Programs Directorate. OSY currently uses two automated systems to track the type of\ninvestigation performed and the date the investigation was completed; however, in many cases,\nneither system contains the needed information. Our Census Bureau evaluation also found that,\n\n\n\n         5\n          Suitability adjudication means assessing an individual\xe2\x80\x99s past and present conduct for indications of\nprobable future actions with adverse impact on the efficiency of the service and includes deciding to take action\nbased on pre-employment factors, such as falsification of application documents.\n\n                                                          6\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-14486\nOffice of Inspector General                                                           September 2001\n\n\n\nin some cases, employees did not have the level of background investigation required by the risk\nlevel of their positions.\n\nIn a later review of a sample of investigation records provided by OSY for employees of the\nNational Institute of Standards and Technology, the Bureau of Export Administration, and the\nNational Oceanic and Atmospheric Administration, we found additional instances where\nemployees did not have the level of background investigation required by the sensitivity or risk\nlevel designation of their positions. In some cases, the level of background investigation was too\nlow and thus would not provide assurance that employees could be trusted with the information\nto which they have access. In other cases, the level was too high and, hence, unnecessarily\nexpensive and intrusive. The sample also contained records indicating what type of investigation\nwas conducted and when it was conducted, but did not include the position designation, which is\nneeded to determine whether the appropriate level of investigation had been conducted, and thus,\nis not an effective management tool. A further indication of problems is that the Department\nbegan participating in a pilot project with OPM in 1998 to enter agency investigation data into\nOPM\xe2\x80\x99s Suitability Investigations Index database, but, according to OSY, later withdrew from the\nproject because of a lack of confidence in the data.\n\nThe Department should maintain an accurate database that indicates the position designation and\ninvestigation data for all employees. The data should indicate the employee\xe2\x80\x99s risk or sensitivity\nlevel, as well as what type of investigation was conducted and when it was conducted. Without\naccurate data, it is impossible to determine whether employees have had the appropriate\nbackground investigation and are suitable to fill their positions based on the sensitivity or risk\ndesignation. Having a database that contains accurate investigation data for each employee is\nalso important because the database can be used to automatically notify security personnel when\nreinvestigations are due to be conducted.\n\nIII.\t   Recommendations\n\nWe recommend that the Chief Financial Officer and Assistant Secretary for Administration take\nthe necessary actions to:\n\n2.\t     Assess the responsibilities and authorities associated with position sensitivity and risk\n        designations, determine how they should be allocated, and ensure that they are understood\n        by managers, personnel officials, and security officials.\n\n3.\t     Ensure that managers and staff from OHRM and OSY attend OPM-approved training for\n        designating risk-based and sensitivity-based positions and for determining appropriate\n        background investigations.\n\n\n                                                7\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-14486\nOffice of Inspector General                                                          September 2001\n\n\n\n4.\t    Ensure that OHRM and OSY continue to coordinate their efforts for developing revisions\n       to DAO 202-731 and the Personnel Security Manual according to OPM regulation and\n       guidance, and ensure that roles and responsibilities of heads of operating units,\n       subordinate managers and supervisors, servicing personnel officers, and security officers\n       are clearly stated.\n\n5.\t    Ensure that Commerce operating unit human resources and security personnel receive\n       appropriate training and that they can implement the new regulations and guidance.\n\n6.\t    Ensure that heads of operating units, subordinate managers, and supervisors are aware of\n       and can implement their roles and responsibilities for position designation.\n\n7.\t    Require OSY and OHRM to improve record keeping to ensure that background\n       investigation data is accurately maintained for all employees.\n\n8.\t    Direct OHRM and OSY to develop a plan to determine whether current positions within\n       the Department are properly designated according to risk or sensitivity level, appropriate\n       background investigations have been conducted, and reinvestigations are being conducted\n       as necessary.\n\n\n\n\nAs noted previously, the Chief Financial Officer and Assistant Secretary for Administration\nagreed with the findings and recommendations of our draft report, and the Deputy Assistant\nSecretary for Security and the Director of Human Resources Management are coordinating the\ndevelopment of a plan to implement our recommendations. The response to our draft report is\nincluded as an attachment to this report and constitutes the action plan. We will consider the\nmatter resolved when we receive a copy of the plan referenced in the response.\n\nWe appreciate the cooperation and courtesies extended to us by your staff during our review.\n\nAttachment\n\n\n\n\n                                               8\n\n\x0c'